The legislation appearing in the timeline is:

• ePrivacy Directive: this was implemented in the UK in the Privacy and Electronic Communications Regulations (PECR). While PECR has been in force for over 20 years, it has been amended several times, most recently by the Data (Use and Access) Act 2025 (DUAA), which is coming into force in stages. The ICO is currently consulting on further changes to the rules governing cookies and related technologies.
• GDPR: while this may still feel relatively new, it has now been applicable for over seven years, together with supplementary national legislation, such as the Data Protection Act 2018 in the UK. Following the end of the Brexit transition period, the UK GDPR came into force in January 2021 and is now being amended by the DUAA.
• NIS and NIS2: the original Network and Information Systems Directive (NIS) imposed cybersecurity requirements on organisations in certain sectors. NIS2 has extended the in-scope sectors and updated their obligations. The deadline for EU member states to implement NIS2 in national law was October 2024, however, a significant number of states have not yet fully done so.
• EU Digital Markets Act: this creates new obligations for large technology platforms acting as gatekeepers providing core platform services.
• EU Digital Services Act: this aims to harmonise conditions for the provision of intermediary services, including transparency requirements and rules on targeted advertising.
• DORA: this strengthens the cybersecurity requirements for financial services entities in the EU.
• EU AI Act: this regulates AI systems placed on the EU market and is becoming applicable in stages, as set out in the timeline.
• Data (Use and Access) Act 2025: this amends the UK GDPR, Data Protection Act 2018 and PECR, primarily to relax certain requirements. Some of its provisions have already come into force, but most changes to data protection law are expected to come into force on dates between now and summer 2026. For more information about the DUAA, please read our article and listen to the recording of our webinar.
• EU Data Act: this introduces new rules on access to, and use of, data generated by connected products and related services. It starts to become applicable on 12 September 2025. On 16 September, we are running a webinar on the Data Act, together with the Data (Use and Access) Act 2025’s Smart Data provisions. If you would like more information, please sign up to join us.
• Cyber Security and Resilience Bill: the UK government is expected to publish this Bill by the end of 2025, bringing the existing UK NIS Regulations closer to NIS2.
• AI Bill: the UK government is expected to publish a draft Bill to regulate AI at some point in 2026, although it is currently uncertain what approach this will take. It seems likely that the government will try to strike a balance between the EU approach and a lighter-touch approach more likely to maintain UK-US relations.
• Cyber Resilience Act: this EU law introduces cybersecurity requirements for connected devices and is becoming applicable in stages, as set out in the timeline.
• EU Digital Fairness Act and Biotech Act: the European Commission is expected to adopt these new pieces of legislation in 2026. The Digital Fairness Act will place obligations on online services to prevent dark patterns, addictive design and misleading marketing. We’ve included the Biotech Act in the timeline because it is likely to contain provisions about access to data, including anonymised health data, to help Europe become more competitive in the biotech sector.